1 Reply Latest reply on Mar 7, 2006 8:03 AM by chris griffith

    Form Authentication problem with jboss 3.2.8 / 4.0.3SP1

    roberto roberto Novice

      My WAR is configured to use FORM auth method.

      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name></realm-name>
      <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/LoginErrorPage.jsp</form-error-page>
      </form-login-config>
      </login-config>

      I also have a security constraint:

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>/index.html</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>everyone</role-name>
      </auth-constraint>
      </security-constraint>

      So when a user tries to connect to any JSP or index.html, the login form opens, and this works fine.

      The problem occurs when the credentials are not valid.
      The web container must call the form-error-page, in my case LoginErrorPage.jsp.
      But it seems that the web container applies the security constraint and so calls the form-login-page (login.jsp) again.

      I also tried to add the run-as role for the login JSPs.


      <servlet>
      <servlet-name>login</servlet-name>
      <display-name>Login</display-name>
      <description>Login</description>
      <jsp-file>/login.jsp</jsp-file>
      <run-as>
      <role-name>everyone</role-name>
      </run-as>
      </servlet>

      <servlet>
      <servlet-name>loginError</servlet-name>
      <display-name>Login Error</display-name>
      <description>Login Error</description>
      <jsp-file>/LoginErrorPage.jsp</jsp-file>
      <run-as>
      <role-name>everyone</role-name>
      </run-as>
      </servlet>

      <servlet-mapping>
      <servlet-name>login</servlet-name>
      <url-pattern>/login.jsp</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
      <servlet-name>loginError</servlet-name>
      <url-pattern>/LoginErrorPage.jsp</url-pattern>
      </servlet-mapping>

      The role everyone is well declared...

      Any idea?
      Or is it a bug?

      I think it's a bug because in every case the LoginErrorPage.jsp must run as the role name "everyone" and also because under WebSphere the same configuration works fine.

      Thank You

        • 1. Re: Form Authentication problem with jboss 3.2.8 / 4.0.3SP1
          chris griffith Expert

          Roberto,

          I do not think this is a bug. The problem is that you have added a security constraint to your LoginErrorPage.jsp page. The container is behaving exactly as you have asked it to. If you do not want your LoginErrorPage.jsp covered by this constraint then you should remove it.

          Also, the servlet run-as element specifies a role the servlet takes on when it is executing. This does not cover the role a principal must have to access the servlet.

          Hope this helps clarify things, cgriffith